From the "stating the bloody obvious" department comes this quote: "Dealing with widespread worms like Sasser raises the cost of using Windows, a research analyst said Wednesday." (Still, at least Sasser was a creative work, for a change, taking advantage of an actual coding flaw, rather than yet another "run me for boobies!" script. If only those sorts of trojans could destroy the hardware in question.. I'm no Windows admirer, but actively choosing to run an anonymous program really ought to have some sort of penalty attached)

*sigh* I feel so left out.. I don't think we really had a full street address where I came into the world. (Certainly, no street - just us on our little spur, and a few other houses off the main road. And a mailbox! I think there was even a phone booth, too)

And for some reason, that was first typed as "toad". Which does conjure up some wonderful James and the Giant Peach style imagery. Reminds me, I still haven't seen Tim Burton's version of that..

From the "incredibly long shot" department: I don't suppose anyone would have a subtitles file for Maratonci trce pocasni krug, a Serbian comedy about a family of undertakers? It looks promising, but being able to understand the dialogue would be helpful.

Beer of the Day: Wells' "Banana Bread Beer", a surprisingly well-balanced bitter, with only a modest fruit influence, yet still enough to be rewarding. It may sound like a peculiar combination, but it's easily worth a try. (Available, amongst other places, at Asda, as part of their uniform "any three for £4" pricing)

Good grief.. I was pleasantly surprised how well William Hague (former leader of the UK Conservative party) acquitted himself on Have I Got News For You. He really seemed to fit in. Maybe this should be a mandatory part of the General Election procedure? (If I could ever see Shrub in that position, I'd maybe not kill to see it, but at least breathe heavily on someone following a hearty evening of sushi)

> If only those sorts of trojans could destroy the hardware in question..

I'm surprised no-one has already. It should be feasible. One could drive the monitor at some insane refresh rate pretty easily.

With the older ATA drives, you were always cautioned against trying to over-manage drive routines when programming, as there was a danger of crashing the heads. I'm guessing the newer drive controllers won't allow that, as I've seen no reference to it for years (actually, it's been years since I've seen any reference at all to drive control routines).

Like you said though, most of the people who release trojans are script kiddies, and probably don't understand the possibilities.

Ack! I must have mislaid my reply.. oh well. I'm fairly certain I wasn't due for a knighthood anyway.

I wonder.. it'd be fun to play with the low-level commands, and see what's actually blocked. I'd hope simple stuff like just futzing with the head position rapidly would be intercepted - certainly, nobody need ever worry about parking heads any more.

> I'm surprised no-one has already. It should be feasible. One could drive the monitor at some insane refresh rate pretty easily.

I used to hear about monitors popping due to incorrect XF86Config settings under Linux, but I've noticed newer monitors tend to simply shut off when fed strange frequencies. OTOH, my Toshiba notebook's flat screen does a really amazingly scary 'melting' effect whenever I try to install Nvidia drivers not 'certified' by Toshiba for my model, which is unfortunately anything later than 2000.

> With the older ATA drives, you were always cautioned against trying to over-manage drive routines when programming, as there was a danger of crashing the heads. I'm guessing the newer drive controllers won't allow that, as I've seen no reference to it for years (actually, it's been years since I've seen any reference at all to drive control routines).

A little known, rarely used feature of IDE drives is a special 'lock' function which enables a drive-firmware level password protection on the drive. An evil virus author could use it to lock people out of their data, including hardware-level disk recovery tools. The password is 512 bits long, so trial and error would be out of the question.
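The 'lock' the comment above describes is the ATA security feature set (SECURITY SET PASSWORD and friends; the spec's user and master passwords are 32 bytes each). The practical defence is that a BIOS can issue SECURITY FREEZE LOCK at boot, after which the drive rejects SET PASSWORD until the next power cycle, so malware running later cannot lock the disk. The check below is an added example, not code from the original post or its commenters: it parses the "Security:" section that `hdparm -I` prints and reports whether a drive is frozen (protected) or still exposed to a rogue SET PASSWORD. The two sample outputs are constructed to match hdparm's layout; `check_device` runs the real tool and needs root.

```python
"""Classify an ATA drive's exposure to a malicious SECURITY SET PASSWORD.

Added example (not from the original post). It assumes the "Security:"
section layout printed by `hdparm -I`, where each flag appears on its own
line as either "\t\tfrozen" (set) or "\tnot\tfrozen" (clear).
"""
import re
import subprocess
from typing import Dict

# Constructed sample: a drive whose BIOS issued SECURITY FREEZE LOCK at boot.
SAMPLE_FROZEN = """\
Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
"""

# Constructed sample: same drive, but nothing froze it, so any local process
# with raw device access could set a password and lock it.
SAMPLE_EXPOSED = """\
Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
"""

FLAG_RE = re.compile(r"\s*(not\s+)?(supported|enabled|locked|frozen)\s*$")


def parse_security(hdparm_output: str) -> Dict[str, bool]:
    """Return {flag: True/False} for the security flags in `hdparm -I` output.

    Only lines inside the "Security:" block are considered; lines such as
    "supported: enhanced erase" carry a suffix and are deliberately ignored.
    """
    flags: Dict[str, bool] = {}
    in_section = False
    for line in hdparm_output.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if in_section and line and not line[0].isspace():
            break  # reached the next top-level section of hdparm -I
        if not in_section:
            continue
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(2)] = m.group(1) is None  # "not" prefix absent => set
    return flags


def assess(flags: Dict[str, bool]) -> str:
    """Map parsed flags to a one-word verdict about SET PASSWORD exposure."""
    if not flags.get("supported", False):
        return "no-security-feature-set"   # nothing to lock, nothing to freeze
    if flags.get("locked", False):
        return "locked"                    # data inaccessible until unlocked
    if flags.get("enabled", False):
        return "password-set"              # a password exists; drive relocks on power cycle
    if flags.get("frozen", False):
        return "frozen"                    # SET PASSWORD rejected until power cycle: protected
    return "exposed"                       # a rogue process could lock the drive right now


def check_device(dev: str) -> str:
    """Run the real `hdparm -I` against a block device (requires root and hdparm)."""
    out = subprocess.run(["hdparm", "-I", dev], capture_output=True,
                         text=True, check=True).stdout
    return assess(parse_security(out))


if __name__ == "__main__":
    for name, sample in (("frozen sample", SAMPLE_FROZEN), ("exposed sample", SAMPLE_EXPOSED)):
        print(f"{name}: {assess(parse_security(sample))}")
```

On a live system, `exposed` is the interesting result: the drive advertises the security feature set and nothing has frozen it, so the mitigation is a BIOS/firmware setting (or an early-boot freeze) rather than anything the OS does later.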

Others have commented that this article ignores the cheapest way to deal with the problem: replace Windows with a real operating system! Linux just works, for months on end; Windows needs continuous patching. Which one is *really* easier to use?

Once Linux becomes as widespread as Windows, you'll have the exact same issues. Look at the patch list for Mandrake 9.2 (my current favourite). You've got at least four patches to fix critical vulnerabilities that allow the machine to be remotely rooted.

Part of the issue is that Linux appeals now mainly to geeks, who'll keep their machines patched and firewalled. There's just not enough open machines out there to spread an infection easily. Once home users start in with Linux, that'll begin to happen.

There's an additional factor in play, in that serious hackers don't reveal the vulnerabilities of their targets. Script kiddies think it's fun to crash stuff. The possibilities of exploiting a buffer overflow to root a box or install backdoors don't occur to them. They're sort of performing a public service by pointing up holes, if you look at it that way. It's the difference between a burglar who sneaks in via the unsecured window, and the punk kid who tosses in a string of firecrackers.

Not to contest your point, but it seems only the mplayer patch (and possibly xchat) is likely to affect home users. An exploit that requires the user to run ethereal won't spread well among homebodies!

My Linux box runs behind a firewall that's built into my cable modem. Perhaps naïvely, I consider myself immune to all attacks other than the Social Engineering kind. I don't even bother installing Linux security patches anymore.

My wife runs XP behind the same firewall. I try to keep her patches up to date, since some of them have to do with webpages that can install trojans just by visiting them. Does Linux have that problem yet?

I'll never feel secure with Windows unless I'm behind a firewall. I have a Linux box that has been sitting naked (no external firewall, just ipchains) off of a very fast colo connection, that gets hit by IIS/MS-SQL related attacks minutely, and hit by (apparent) DOS/scrambled-packet attacks almost as frequently. It was running for 440+ days without a single reboot until recently (mysterious power failure). If I see lots of strange activity from one IP address via my snort log viewer (ACID), I can quickly set up a rule in ipchains to ignore anything from that connection, or using that protocol/port, or any other condition.

Webpages that install trojans merely by visiting them is, according to Microsoft, a feature of Internet Explorer. It's also called ActiveX. I've never heard of such a problem with any of the browsers for Linux.

> My wife runs XP behind the same firewall. I try to keep her patches up to date, since some of them have to do with webpages that can install trojans just by visiting them. Does Linux have that problem yet?

You're right, of course. It's not there yet. My point is that something equally destructive is going to come for Linux, eventually. No-one's going to deliberately replicate a disaster like Active-X or Outlook, but something else will come along from the pressures of adapting Linux to the consumer market. Look how many of MS's security problems could be solved by just getting rid of a few of the 'magic' behaviours in Windows. They won't do that, because home consumers want that stuff, and don't really understand in any meaningful way how that connects to getting their machine infected. That's the market Red Hat and Mandrake are busy chipping away at, and their success is going to be pretty much proportional to their ability to deliver an OS/desktop combo that allows consumers to believe that they're in charge of the machine without requiring them to actually know anything about what they're doing. The need to deliver that false sense of empowerment is where the vulnerability arises, but it's also where the sales arise.

The worst thing Microsoft ever did was auto-execution of VBS from emails. No home user wanted that. They claimed this feature was supposed to make sysadmin easier, but I don't know any sysadmins who actually sent forced patches by email. It seemed to me when I first heard about it that the only people who actually wanted this "feature" were crackers.

Many of Windows' security problems are caused by such poorly-designed features. Others are caused by monoculture: "one browser to rule them all". Since there are so many Linux chat clients, a security hole in xchat can't spread very widely.

"I don't think we really had a full street address..." Aww... At least you had a phone booth! And a mailbox! Was it a nice phone booth and mailbox? If it makes you feel any better, I had killer bees beneath my backyard.

Have you tried pumpkin pie beer, by any chance? Very odd. Good, but odd.

Even on DSL it took well into this year. ;P My favorite was probably the Top Gun/Star Fox (just -so- hot! ^.^). I also liked E.T., Fiddler On The Roof, and Cowboy Bebop/Pokemon.

Here we see a fine definition of "paradox": the one able to most effectively state his own case, for removal, is the one most deserving of remaining in.

Of course, I've more than once wondered what it might be like to stage a special Krypton Factor for senior political positions, especially party leader. But might people wind up voting for the lowest scorer, out of sympathy? ("The Bush Factor", new to Sky this summer)